I've run 5 or 6 different mail servers over the past 10 years. Originally before O365 I was an exchange admin, then postfix, iRed, mailcow, mail gun, you name it. Hosted on every cloud provider, even in our colo with part of a private /24 allocation with good reputation (built since 1997, gawdamn). Every sort of header combination, tls setup, and no blacklists. Always 100% alignment, including strict rejection policy (best results even over quarantine).
Does not matter, if you're sending from custom domain not handled through a big name, expect the spam box with Gmail. Yahoo and Outlook are fine, but Gmail is the bane.
I've spent maybe 100 hours of my own over this last year and know what I realized? Nobody cares about email anymore, except for automated account management stuff (login, PW reset). Businesses pay the $3 /mo / seat for fastmail and don't think twice.
But the current trend is toward social chat (discord or Whatsapp) and most the people who own an iPhone just use their apple ID email for everything.
Although I am a fervent supporter of open protocols and believe email (with pgp signing) is an awesome long form communication format... Face it, it's going the way of the fax machine.
I’ve had to relax my SPF record to include the entire mail pool of my ISP to be able to send to anything hosted by Microsoft. I tried to liaise with them directly, and through Linode, but they refused to exclude the IP from their opaque blocklist. Their proposed solution was to change the IP of the VPS, but that’s just agreeing to play whack-a-mole with a bad faith actor.
There should be a path to greater transparency and accountability from the SMTP cartels, but I’m at a loss as to how that can manifest.
It would be crazy of Microsoft to look at all Received-Hearders and want everything mention there in the SPF record. If that is what really happens, than you should exclude this information from the header. (mask-src on Opensmtpd. Pretty sure Postfix has that option to, but haven't used it in a decade, so I can't tell you the syntax.)
The only way I’m currently able to deliver anything to domains hosted by Microsoft is to expand my SPF record to include my ISP’s mail hosts, and route delivery through them.
Microsoft, and the other SMTP cartel thugs, are undermining the protections these protocols were designed to provide.